Lloyd's Minimum Standards — Cyber and IT Security
Mandatory minimum standards for all managing agents operating in the Lloyd's market. Covers IT governance and strategy, information security policy, risk assessment, access control, application security, change management, business continuity and disaster recovery, network security, data protection and classification, incident management, third-party and outsourcing risk, and security monitoring. Compliance is assessed through Lloyd's annual oversight process.
AC (19) AT (6) AU (14) CA (5) CM (14) CP (11) IA (6) IR (9) MA (1) MP (6) PE (22) PL (4) PM (19) PS (5) PT (8) RA (7) SA (10) SC (16) SI (11) SR (8)
AC Access Control
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | MS8.2 |
| AC-02 | Account Management | MS8.3 |
| AC-03 | Access Enforcement | MS1.1, MS2.1, MS5.1, MS6.1, MS8.3 |
| AC-04 | Information Flow Enforcement | BP2.2, MS13.2, MS6.1, MS8.9 |
| AC-05 | Separation Of Duties | MS2.1, MS5.1, MS8.3 |
| AC-06 | Least Privilege | MS1.1, MS5.1, MS8.3 |
| AC-07 | Unsuccessful Login Attempts | MS8.3 |
| AC-08 | System Use Notification | MS8.3 |
| AC-10 | Concurrent Session Control | MS8.3 |
| AC-11 | Session Lock | MS8.3 |
| AC-12 | Session Termination | MS8.3 |
| AC-14 | Permitted Actions Without Identification Or Authentication | MS8.3 |
| AC-16 | Automated Labeling | MS7.1, MS8.7 |
| AC-17 | Remote Access | MS8.3, MS8.9 |
| AC-18 | Wireless Access Restrictions | MS8.9 |
| AC-19 | Access Control For Portable And Mobile Devices | MS8.3 |
| AC-20 | Use Of External Information Systems | MS13.1, MS6.1, MS8.3 |
| AC-24 | Access Control Decisions | BP2.1, MS8.3 |
| AC-25 | Reference Monitor | MS8.3 |
AT Awareness and Training
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | MS8.13, MS8.2 |
| AT-02 | Security Awareness | MS8.13 |
| AT-03 | Security Training | CRM.1, MS8.13 |
| AT-04 | Security Training Records | MS8.13 |
| AT-05 | Contacts With Security Groups And Associations | MS8.13 |
| AT-06 | Training Feedback | MS8.13 |
AU Audit and Accountability
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | MS8.2 |
| AU-02 | Auditable Events | MS13.2, MS2.1, MS5.1, MS8.12 |
| AU-03 | Content Of Audit Records | MS8.12 |
| AU-04 | Audit Storage Capacity | MS8.12 |
| AU-05 | Response To Audit Processing Failures | MS8.12 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | MS2.1, MS5.1, MS8.12, MS8.5 |
| AU-07 | Audit Reduction And Report Generation | MS8.12 |
| AU-08 | Time Stamps | MS8.12 |
| AU-09 | Protection Of Audit Information | MS8.12 |
| AU-10 | Non-Repudiation | MS5.1, MS8.12 |
| AU-11 | Audit Record Retention | MS13.2, MS8.12 |
| AU-12 | Audit Record Generation | MS2.1, MS8.12 |
| AU-13 | Monitoring for Information Disclosure | MS8.12 |
| AU-14 | Session Audit | MS8.12 |
CA Security Assessment and Authorization
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | MS8.2 |
| CA-02 | Security Assessments | MS10.2 |
| CA-03 | Information System Connections | MS13.1, MS8.9 |
| CA-07 | Continuous Monitoring | MS10.2, MS8.12 |
| CA-08 | Penetration Testing | MS8.11, MS9.2 |
CM Configuration Management
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | MS8.2 |
| CM-02 | Baseline Configuration | MS8.4 |
| CM-03 | Configuration Change Control | MS5.1, MS8.4 |
| CM-04 | Monitoring Configuration Changes | MS8.4 |
| CM-05 | Access Restrictions For Change | MS5.1, MS8.4 |
| CM-06 | Configuration Settings | MS8.4 |
| CM-07 | Least Functionality | MS8.10, MS8.4 |
| CM-08 | Information System Component Inventory | MS1.1, MS8.4, MS9.3 |
| CM-09 | Configuration Management Plan | MS8.4 |
| CM-10 | Software Usage Restrictions | MS8.4 |
| CM-11 | User-Installed Software | MS8.10, MS8.4 |
| CM-12 | Information Location | MS1.1, MS13.1, MS2.1, MS6.1, MS8.7, MS9.1 |
| CM-13 | Data Action Mapping | BP2.2, MS1.1, MS13.1, MS13.2, MS6.1, MS8.7, MS9.1 |
| CM-14 | Signed Components | MS8.4 |
CP Contingency Planning
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | MS8.2, MS8.6 |
| CP-02 | Contingency Plan | CRM.3, MS8.6, MS9.1 |
| CP-03 | Contingency Training | MS8.6, MS9.2 |
| CP-04 | Contingency Plan Testing And Exercises | CRM.3, MS8.6, MS9.2 |
| CP-06 | Alternate Storage Site | MS8.6 |
| CP-07 | Alternate Processing Site | MS8.6 |
| CP-08 | Telecommunications Services | MS8.6 |
| CP-09 | Information System Backup | MS8.6 |
| CP-10 | Information System Recovery And Reconstitution | CRM.3, MS8.6 |
| CP-12 | Safe Mode | MS8.6 |
| CP-13 | Alternative Security Mechanisms | MS8.6 |
IA Identification and Authentication
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | MS8.2, MS8.3 |
| IA-02 | User Identification And Authentication | MS8.3 |
| IA-04 | Identifier Management | MS8.3 |
| IA-05 | Authenticator Management | MS8.3 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | BP2.1, MS8.3 |
| IA-12 | Identity Proofing | BP2.1, MS8.3 |
IR Incident Response
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | CRM.3, MS8.2, MS8.5 |
| IR-02 | Incident Response Training | CRM.3, MS8.5 |
| IR-03 | Incident Response Testing And Exercises | CRM.3, MS8.5, MS9.2 |
| IR-04 | Incident Handling | CRM.3, MS8.5 |
| IR-05 | Incident Monitoring | MS8.5 |
| IR-06 | Incident Reporting | CRM.3, MS8.5 |
| IR-07 | Incident Response Assistance | MS8.5 |
| IR-08 | Incident Response Plan | CRM.3, MS8.5 |
| IR-09 | Information Spillage Response | MS8.5 |
MA Maintenance
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| MA-01 | System Maintenance Policy And Procedures | MS8.2 |
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | MS8.2, PHYS.1 |
| PE-02 | Physical Access Authorizations | PHYS.1 |
| PE-03 | Physical Access Control | PHYS.1 |
| PE-04 | Access Control For Transmission Medium | PHYS.1 |
| PE-05 | Access Control For Display Medium | PHYS.1 |
| PE-06 | Monitoring Physical Access | PHYS.1 |
| PE-08 | Access Records | PHYS.1 |
| PE-09 | Power Equipment And Power Cabling | PHYS.1 |
| PE-10 | Emergency Shutoff | PHYS.1 |
| PE-11 | Emergency Power | PHYS.1 |
| PE-12 | Emergency Lighting | PHYS.1 |
| PE-13 | Fire Protection | PHYS.1 |
| PE-14 | Temperature And Humidity Controls | PHYS.1 |
| PE-15 | Water Damage Protection | PHYS.1 |
| PE-16 | Delivery And Removal | PHYS.1 |
| PE-17 | Alternate Work Site | PHYS.1 |
| PE-18 | Location Of Information System Components | PHYS.1 |
| PE-19 | Information Leakage | PHYS.1 |
| PE-20 | Asset Monitoring and Tracking | PHYS.1 |
| PE-21 | Electromagnetic Pulse Protection | PHYS.1 |
| PE-22 | Component Marking | PHYS.1 |
| PE-23 | Facility Location | PHYS.1 |
PL Planning
PM Program Management
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| PM-01 | Information Security Program Plan | CRM.1, GOV.1, MS10.1, MS8.1, MS8.2 |
| PM-02 | Information Security Program Leadership Role | CRM.1, GOV.1, MS8.1 |
| PM-08 | Critical Infrastructure Plan | MS9.1 |
| PM-09 | Risk Management Strategy | CRM.1, GOV.1, MS10.1, MS10.2, MS8.1 |
| PM-11 | Mission and Business Process Definition | MS9.1 |
| PM-12 | Insider Threat Program | MS2.1 |
| PM-13 | Security and Privacy Workforce | MS8.13 |
| PM-14 | Testing, Training, and Monitoring | MS8.13, MS9.2 |
| PM-15 | Security and Privacy Groups and Associations | CRM.2 |
| PM-16 | Threat Awareness Program | CRM.2 |
| PM-18 | Privacy Program Plan | MS7.1 |
| PM-20 | Dissemination of Privacy Program Information | MS7.1 |
| PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | MS7.1 |
| PM-26 | Complaint Management | MS7.1 |
| PM-28 | Risk Framing | MS10.1 |
| PM-29 | Risk Management Program Leadership Roles | CRM.1, GOV.1, MS10.1, MS8.1 |
| PM-30 | Supply Chain Risk Management Strategy | MS10.1 |
| PM-31 | Continuous Monitoring Strategy | MS10.1 |
| PM-32 | Purposing | MS10.1 |
PS Personnel Security
PT Personally Identifiable Information Processing and Transparency
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| PT-01 | Policy and Procedures | MS7.1, MS8.2 |
| PT-02 | Authority to Process Personally Identifiable Information | MS7.1 |
| PT-03 | Personally Identifiable Information Processing Purposes | MS7.1, MS8.7 |
| PT-04 | Consent | MS7.1, MS8.7 |
| PT-05 | Privacy Notice | MS7.1, MS8.7 |
| PT-06 | System of Records Notice | MS7.1 |
| PT-07 | Specific Categories of Personally Identifiable Information | MS7.1 |
| PT-08 | Computer Matching Requirements | MS7.1 |
RA Risk Assessment
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | MS10.1, MS10.2, MS8.2 |
| RA-02 | Security Categorization | MS10.2 |
| RA-03 | Risk Assessment | CRM.2, MS10.1, MS10.2, MS8.11 |
| RA-05 | Vulnerability Scanning | CRM.2, MS10.2, MS8.11 |
| RA-07 | Risk Response | MS10.1, MS10.2, MS8.11 |
| RA-09 | Criticality Analysis | MS10.2, MS9.1, MS9.3 |
| RA-10 | Threat Hunting | CRM.2, MS10.2 |
SA System and Services Acquisition
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | MS8.2 |
| SA-02 | Allocation Of Resources | MS8.1 |
| SA-03 | Life Cycle Support | BP2.1, MS1.1 |
| SA-04 | Acquisitions | BP2.1, MS13.1, MS8.8 |
| SA-08 | Security Engineering Principles | BP2.1, MS1.1 |
| SA-09 | External Information System Services | BP2.2, MS13.1, MS6.1, MS8.8, MS9.3 |
| SA-10 | Developer Configuration Management | MS8.4 |
| SA-11 | Developer Security Testing | BP2.1, MS8.11, MS8.4 |
| SA-17 | Developer Security and Privacy Architecture and Design | BP2.1 |
| SA-21 | Developer Screening | MS8.8 |
SC System and Communications Protection
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | MS8.2 |
| SC-05 | Denial Of Service Protection | MS8.9 |
| SC-07 | Boundary Protection | MS8.9 |
| SC-08 | Transmission Integrity | BP2.1, BP2.2, MS13.2, MS6.1, MS8.9 |
| SC-12 | Cryptographic Key Establishment And Management | BP2.1 |
| SC-13 | Use Of Cryptography | BP2.1 |
| SC-16 | Transmission Of Security Parameters | BP2.2, MS6.1 |
| SC-18 | Mobile Code | MS8.10 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | MS8.9 |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | MS8.9 |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | MS8.9 |
| SC-23 | Session Authenticity | BP2.1 |
| SC-24 | Fail in Known State | MS8.6 |
| SC-44 | Detonation Chambers | MS8.10 |
| SC-46 | Cross Domain Policy Enforcement | MS8.9 |
| SC-47 | Alternate Communications Paths | MS8.9 |
SI System and Information Integrity
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | MS1.1, MS8.2 |
| SI-02 | Flaw Remediation | MS8.11, MS8.4 |
| SI-03 | Malicious Code Protection | MS8.10 |
| SI-04 | Information System Monitoring Tools And Techniques | MS2.1, MS8.10, MS8.12, MS8.5 |
| SI-05 | Security Alerts And Advisories | CRM.2, MS8.11, MS8.5 |
| SI-07 | Software And Information Integrity | MS8.10, MS8.4 |
| SI-08 | Spam Protection | MS8.10 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | BP2.2, MS1.1, MS13.2, MS2.1, MS5.1, MS6.1 |
| SI-12 | Information Output Handling And Retention | BP2.2, MS1.1, MS13.2, MS2.1, MS5.1, MS6.1, MS7.1, MS8.7 |
| SI-16 | Memory Protection | MS8.10 |
| SI-17 | Fail-safe Procedures | MS8.6 |
SR Supply Chain Risk Management
| Control | Name | Lloyd's Minimum Standards References |
|---|---|---|
| SR-01 | Policy and Procedures | MS13.1, MS8.2, MS8.8, MS9.3 |
| SR-02 | Supply Chain Risk Management Plan | MS13.1, MS8.8, MS9.3 |
| SR-03 | Supply Chain Controls and Processes | MS8.8, MS9.3 |
| SR-04 | Provenance | MS8.8 |
| SR-05 | Acquisition Strategies, Tools, and Methods | MS8.8 |
| SR-06 | Supplier Assessments and Reviews | MS13.1, MS8.8 |
| SR-08 | Notification Agreements | MS13.1, MS8.8 |
| SR-10 | Inspection of Systems or Components | MS8.8 |